
Anyone who's followed stats over the last couple of years knows China, the US and Russia rotate in the most malicious activity top five. Plus a scan originating from China doesn't automagically mean it's the Chinese; anyone could be using those machines.

Quote:

Originally Posted by tronayne

Script kiddies and port scanners are one thing, state-sponsored attacks are quite another. Do countries spy on one another? Of course they do and have done so for thousands of years in one form or another. It seems, though, that China has taken it to a new level.

That's only what's been discovered and cleared for publication. And the recent spate of APTs weren't exactly all Chinese efforts, right?

Personally I don't see the need for fail2ban in this situation. It's one more package he has to install

True, but since the slackware installation instructions tell you to install "everything unless you know what you're doing" that's somewhat debatable I think ;-p Anyway, if you run Python already the package itself doesn't take up much space.

Quote:

Originally Posted by chemfire

and one more thing that has to be memory resident.

Long time since I read that phrase and argument. Do you actually know how much memory Python would need for running fail2ban or if the OP has very limited RAM?

Quote:

Originally Posted by chemfire

(they just give up and move on when they start seeing the port as closed after 5 hits)

I've seen single hosts scan for hours on end at n connections per second.

Quote:

That's only what's been discovered and cleared for publication. And the recent spate of APTs weren't exactly all Chinese efforts, right?

Advanced persistent threat (APT) network attacks have, indeed, been rising -- and originating from all over the place -- so, no, probably not all of Chinese origin. However, the evidence seems to indicate the majority originate in China.

Keep in mind that there is a 12-story building on the outskirts of Shanghai that is the headquarters of Unit 61398 of the People's Liberation Army.

The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.

And, of course, not just the U.S. is being targeted -- so's everybody else with anything worth knowing.

Is the article worth reading? Is The New York Times to be believed? Is China (as in state-sponsored) doing this?

I think ignoring or pooh-poohing is at your peril. You can, of course, decide for yourself.

I'll agree that the system requirements of fail2ban are not something to be concerned with; although if you are running on a purpose-built firewall type appliance box with only a couple hundred megs of RAM it might matter. There are still human maintenance issues though: you have an application that does not ship with the platform, so it will need to be considered at each upgrade, and kept current itself, and ban lists to manage. Not much effort, but certainly more than the iptables xt-recent solution, which is pretty much shove in rc.firewall and forget about it.

As to the APT issue, that is clearly not his problem. No APT would have thrown the dictionary at sshd like that unless they already knew the target did not review logs and had no SIEM or automatic log analysis in place. While I have seen those guys do slow scans as part of recon etc., and they might even try the obvious root/toor admin/p@$$w0rd type things on an application, once that does not work they are not going to try and run a dictionary attack for months at an average rate of 1 attempt every 60 seconds. They have better things to do.

They are going to A) spear phish you and get you to do something that will let them back in; a Java applet reverse shell on a cloned website, for example. B) identify something like sshd you are running; find or develop an exploit for it offline and then crack it in one attempt against you. Fail2ban and firewalling won't help you there. A good inline IPS might, but most likely not. Which gets you back to the oldest solutions: make sure everything you have is patched and minimize the attack surface; don't run anything you don't need.
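The "shove in rc.firewall and forget about it" xt_recent approach mentioned above, as an added example that is not from the thread or from any poster. It assumes port 22, a limit of 5 new connections per 60 seconds per source, and a trusted management network of 192.0.2.0/24 (a documentation range, constructed here); the chain name SSH_RATELIMIT and the function names are my own.

```shell
#!/bin/sh
# SSH brute-force throttling with iptables' recent (xt_recent) match.
# Assumed values (override via environment): port 22, 5 hits per 60 s,
# admin network 192.0.2.0/24 which is never throttled. IPv4 only.
SSH_PORT=${SSH_PORT:-22}
HITS=${HITS:-5}
WINDOW=${WINDOW:-60}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}

# Emit the rules rather than running them so they can be reviewed or
# pasted into rc.firewall; run "ssh_ratelimit_rules | sh" as root to apply.
# --set records every new connection; --update then drops (and refreshes
# the timestamp for) any source that exceeds HITS within WINDOW seconds,
# so a host that keeps hammering stays blocked until it goes quiet.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N SSH_RATELIMIT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_RATELIMIT
iptables -A SSH_RATELIMIT -s $ADMIN_NET -j RETURN
iptables -A SSH_RATELIMIT -m recent --name SSH --set
iptables -A SSH_RATELIMIT -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -m limit --limit 6/min -j LOG --log-prefix "SSH_RATELIMIT: "
iptables -A SSH_RATELIMIT -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -j DROP
EOF
}

# Who is currently being tracked: one line per source with its hit
# timestamps, straight from the kernel; empty until the rules are loaded.
ssh_ratelimit_status() {
    [ -r /proc/net/xt_recent/SSH ] && cat /proc/net/xt_recent/SSH
}

case "${1:-}" in
    apply)  ssh_ratelimit_rules | sh ;;
    status) ssh_ratelimit_status ;;
    *)      ssh_ratelimit_rules ;;
esac
```

The LOG line is what gives you the "automatic log analysis" the post says the target lacked: grep the kernel log for the SSH_RATELIMIT prefix and you have a free list of sources that tripped the limit.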